techUK’s Response to the ICO Direct Marketing Code of Practice Consultation 


Dear Sir/Madam 


techUK welcomes the opportunity to provide input to the ICO’s consultation on the draft Direct 
Marketing Code of Practice. techUK is the industry voice of the UK tech sector, representing more 
than 850 companies who collectively employ over 700,000 people, about half of all tech jobs in the 
UK. These companies range from innovative start-ups to leading FTSE 100 companies. The majority 
of our members are small and medium sized businesses. 


The work being conducted by the ICO to update the Direct Marketing Code, in particular the steps 
being taken to ensure the Code includes practical guidance as well as good practice examples and 
advice, is welcomed. However, there are some areas of the draft Code where further information and 
clarification are seen as necessary; these are outlined below in this response. 


There are also a number of overarching issues of concern with the approach being taken in the draft 
Code that we would like to raise. These include the current scope and reach of the draft Code, the 
focus on consent throughout the document and the practical usability of the Code in its current format. 


Scope and reach 


With the approach being taken to address the direct marketing requirements of PECR as well as 
the requirements of the GDPR within a single Code, there is a real concern that the proposed Code 
is attempting to go beyond simply providing guidance on direct marketing and is addressing wider, 
more distinct, issues relating to the broader online advertising ecosystem. 


For example, the draft Code appears to be taking the position that online behavioural advertising 
and some types of social media are direct marketing. Clearly direct marketing provisions are there 
to prevent people from receiving unwanted or unsolicited communications. That is however not the 
case with many ad-based free services as ads are a necessary part of the service being provided. 
By choosing to use the free services, consumers agree to accept the ads that fund those services. 
Therefore, advertising that is closely linked to the requested service, such as on free social media 
platforms, is not direct marketing and should not be regulated as such. 


Also, it is felt that the example of a “refer a friend” scheme (page 83) is focusing on issues related 
to online advertising rather than direct marketing. It is suggested the Code should recognise that 
the rules and requirements relating to direct marketing will not always apply to online advertising 
and should therefore be considered separately. 


The draft Code’s use of the broad term and definition of “direct marketing purposes” to cover a 
number of issues covered by both GDPR and PECR is also seen as problematic. For example, 
this broad definition includes both the processing of personal data to send direct marketing 
communications and all processing activities which lead up to, enable and support sending those 
communications. This approach could lead to a lack of clarity and certainty about the two activities, 
about which legal bases are available for which processing, and about what is required of organisations 
throughout the Code. It is suggested that the Code should keep a clear separation between the PECR 
provisions regarding direct marketing, whose purpose is to protect individuals 
against unsolicited communications, and the processing of personal data on the basis of the GDPR. 


Focus on consent 


It is felt that the draft Code favours consent as the most appropriate basis for most, and in some 
cases multiple, direct marketing purposes including online behavioural advertising (including mobile 
apps) whether PECR or GDPR applies. For example, the draft Code refers to the benefits of 
having one lawful basis (consent) for direct marketing purposes while increasing people’s trust and 
confidence (page 31). However, it is the controller’s responsibility to rely on the legal basis, or legal 
bases, that it deems appropriate throughout the steps of processing personal data. It is also 
important to highlight that the other legal bases come with built-in safeguards that provide 
transparency, choice and control for individuals. There is a concern that by tying a specific purpose 
for processing (direct marketing) to one specific legal basis (consent) the draft Code unnecessarily 
restricts the number of legal bases available to controllers under the GDPR. 


In a number of areas, such as the use of “Custom Audiences”, the draft Code does not recognise 
other legal bases that can be used for processing data, such as legitimate interests, especially when 
the “Custom Audience” provider is a processor. This is despite Recital 47 of the GDPR stating that “the 
processing of personal data for direct marketing purposes may be regarded as carried out for a 
legitimate interest”. 


The draft Code also does not recognise that different lawful bases can be used at different stages 
of data processing leading up to the sending of direct marketing. For example, an advertiser may 
rely on consent for the transmission of data to a controller via an online identifier, and the controller 
may rely on another basis, such as contractual necessity or legitimate interests, to process onsite 
data for the purpose of direct marketing. The GDPR includes a range of legal bases that include 
specific safeguards in the context of direct marketing. For example, Article 21(2) and (3) include 
a specific right to object where data is processed for direct marketing purposes. 


It is suggested that the draft Code should be amended to reflect throughout the document that 
consent is not the only legal basis that can be used for most direct marketing purposes and that 
other legal bases can be used. Without this amendment it is also possible that the Code will 
result in a significant increase in the number of consent requests that individuals will receive. This 
could lead to confusion among individual data subjects and could also negatively impact the user 
experience of many online products, tools and services, in particular those delivered via apps. 
For example, an individual could be faced with multiple consent requests from advertising partners 
involved in every app that they are using. Especially in a context where people using a free service 
accept seeing advertisements as part of that service, a consent requirement would be 
disproportionate and would undermine the value of consent in cases where special attention is due. In such 
situations, personalisation of content, including through advertising, would be seen as a core 
element of the contracted service and therefore contractual necessity can be used as an 
appropriate legal basis. 


It is suggested that the draft Code is reviewed and amended to reflect how different ecosystems, 
such as the app ecosystem, can provide users more control over how their data is being used in a 
way that is both user friendly and meets the requirements of PECR and GDPR. 


In addition, another issue related to consent where the guidance could provide useful advice to 
organisations is in situations where a business process may contain a number of steps. It would be 
useful if the guidance could provide information and advice on whether users are able to provide, 
or withhold, consent for all the steps involved in a business process at the same time and if so how 
this could be practically achieved. 


Practical usability of the Code 


Given the sheer number of issues and areas included in the Code there is a concern as to whether 
the full requirements of the Code as proposed can be easily and practically operationalised by 
organisations, particularly SMEs, in a timely manner. The sheer size of the Code itself also means 
the advice and requirements can be difficult to navigate in its current form. It is 
suggested that a numbering format for the different areas, or sections, of the Code could be helpful 
to organisations looking to find particular sections of the Code as and when needed. 


The inclusion throughout the Code of “good practice recommendations” and examples are 
welcomed and bring many aspects of the draft Code to life. However, given that these “good 
practice” suggestions are, in many areas through the Code, sitting alongside specific requirements 
that organisations must adhere to, it would be useful if the Code could make it clearer for 
businesses that may be looking to prioritise specific requirements, which examples and areas of 
the Code are optional and good practice only and which are legal requirements. 


In addition to the overarching issues raised above, below are the specific sections of the draft Code 
where techUK believe further clarification, information and guidance is needed: 


Due diligence (pages 4, 53, 63, 64) 


The term “due diligence” is used many times throughout the Code. However, further detail on what is 
expected each time the term is used would be seen as useful. For example, to help organisations 
better understand to what extent the steps taken by organisations to put in place mechanisms and 
safeguards would be taken into account by the ICO in mitigating any penalties in situations where 
there has been non-compliance by a third party which impacts a data controller. Further detail is 
also sought on what due diligence may be required in relation to the provision of “enrichment 
services” as well as “data procurement” and “profiling or enrichment services”. 


Generating leads and collecting contact details (page 4) 


The draft Code states that privacy information must be provided “at the time you collect” their 
information. This advice appears to be a departure from previous guidance that has stated privacy 
information can be provided shortly afterwards. Clarification is sought on this point and whether the 
advice in this regard has changed. 


Profiling and data enrichment (page 5) 


The draft Code states that organisations are “unlikely to be able to justify tracing an individual in order 
to send direct marketing to their new address”. However, the Code does not make it clear whether this 
would be possible in situations where the consent of the individual has been given. It is suggested 
that the Code is amended to ensure there is clarity that tracing would be allowed if consent has been 
given. It is also unclear whether this point should sit in the section on “Profiling and data 
enrichment” rather than the section focusing on keeping data “accurate and up to date”, as the 
purpose of tracing an individual would be to keep data as accurate as possible. 


Individual rights (page 6/105) 


While the Code is clear that the right to “object to direct marketing is absolute”, it does not provide any 
guidance or information to address situations where a customer may want to opt-out of receiving 
information through a specific channel (such as email) but is happy to receive information via other 
channels (such as telephone). Further clarification is sought on whether an organisation would have 
to opt-out an individual from all channels if an objection to direct marketing has been received. 


Is market research direct marketing (page 18) 


This section is clear that “Market research will not constitute direct marketing” where the purpose is 
for an organisation to use market research to make commercial decisions. However, it is unclear 
whether the market research conducted can also be used by third party organisations to make 
commercial decisions. Further clarification is sought on this section in this area. 


What are ‘service messages’? (page 19) 

Further information is required on what is considered a “special offer” in this section of the Code. For 
example, if an organisation was required, by a regulator, to send an individual information relating to a 
service being provided so that action can be taken that can save the user money, would this still be 
considered a “special offer”? Additional detail would be welcomed in this section. 


Related to this issue, further clarification is sought on the hotel example on page 14 of the draft. It 
states that the hotel’s email to customers asking if they would like to consent to direct marketing must 
comply with PECR consent rules. However, it is not clear how controllers can get this consent at any 
other time than when they first interact with the customer. It is unclear how they can refresh consent if 
they need to have consent to send the email to the guests to ask for consent. 


It is also suggested that the example of a GP surgery’s flu jab message as direct marketing (page 22) 
may need to be reviewed to avoid misinterpretation. Given that some patients will be eligible for an 
annual flu jab as part of direct patient care, and not simply as a service that is offered, there is a risk 
that this example could result in GP surgeries not contacting people who are eligible for a free flu jab 
as part of their care. 


Are regulatory communications direct marketing? (page 20) 


The draft Code appears to be suggesting that even when an organisation has been required by law, 
and by a specific regulator, to send direct communications to individuals to meet a “regulatory 
obligation”, the rules of GDPR and PECR would still apply and take precedence. Further clarification 
is sought on the guidance in this area, which is seen as a change in approach by the ICO from its 
previous advice to businesses in this area. It would be useful if the ICO could provide further 
information on whether other relevant authorities and regulators that could be impacted by the 
guidance in this area have been consulted on the draft Code. 


Do we need to complete a DPIA (page 28) 


The inclusion of a list of activities that would be involved in a DPIA is welcomed. However, it would be 
useful if the Code could provide further input, and guidance, perhaps also examples, on the areas 
listed. It is suggested that where this information is contained within the Code, hyperlinks (or 
signposting) should be included to assist organisations. 


For organisations, particularly SMEs, that may have limited resources, it would also be useful for the 
Code to list in this section the processing activities that automatically require a DPIA and the 
requirements that would only apply when combined with other criteria from the European guidelines 
on DPIAs. 


How do we decide what our lawful basis is for direct marketing? (page 29) 


The recognition in this section of the Code that the contract lawful basis “might be able to apply” for 
direct marketing is welcomed. However, this section of the Code then appears to contradict itself by 
stating that if you use this basis to supply goods that this “does not mean that you can also use this 
basis to send direct marketing”. It would be useful if the Code could be clearer that the contract lawful 
basis can be used. 


Can we use special category data for direct marketing? (page 38) 


The draft Code’s use of the loyalty card scheme example in this section suggests that a service can 
be designed so that providing consent to receive direct marketing can be a condition of agreeing to 
the services being offered. However, clearly this will be down to how the service itself has been 
designed and there will be other ways of doing this than simply a loyalty scheme. It would be helpful if 
the guidance could provide further clarification in this area on the specific circumstances where a 
service can be developed and designed to enable consent to be a condition to receive a service. 


It would also be useful if this section could provide an example to illustrate the point made at the end 
of the section in relation to whether you are able to “infer special category data” from the customer 
information you hold. 


How do we keep personal data we use for direct marketing accurate and up to date? (page 40) 


It is suggested that the list of information that needs to be recorded in this section could be 
streamlined in a way that would help organisations understand their requirements. In particular, for 
example, objections, opt-outs and withdrawals of consent are all the same action by individuals and 
the way organisations would record such action would be by using a suppression list. Amending this 
list could help to simplify the process for organisations. 


How long should we keep personal data for direct marketing purposes? (page 42) 


A good practice recommendation in this section states that “when sending direct marketing to new 
customers on the basis of consent collected by a third party” organisations should not “rely on consent 
that was given more than six months ago”. It is not clear from this example when the six month period 
would apply from and also how this would work in practice. Further information and examples on this 
suggestion would be welcomed. 


What do we need to tell people if we collect their data from other sources? (page 48) 


The section of the Code relating to “Disproportionate effort” could be enhanced with examples to 
provide advice to organisations on the disproportionate effort that may be relied upon. 


It would also be useful if this section of the Code could provide clarification that it may not always be 
technically feasible to inform individuals that their data has been obtained through a third party. For 
example, if the information obtained is limited to an IP address or, in the case of online advertising, a 
unique identifier only. 


Can we enrich the data we already hold? (page 59) 


To assist organisations in this area it would be useful if the guidance could include specific examples 
of what is considered “unfair” and “fair” enrichment. 


Can we use data cleansing and tracing services? (page 61) 


The guidance in the Code on the use of data cleansing, to help organisations ensure data remains 
accurate, is welcomed. However, further clarity on how the requirements would be practically applied 
would be considered useful. For example, in a B2B scenario, if an updated address has been found can 
this address then be used? Or would the use of this new address require further consent? Further 
explanation would also be welcomed in this section to help organisations better understand when 
data tracing would, and would not, be allowed. 


What due diligence do we need to consider when using profiling or enrichment services? 
(page 63) 


The draft guidance currently states that as part of the appropriate due diligence before using services 
in this area, organisations should seek to understand what a “third party’s DPIA” says. Given that 
DPIAs are largely internal documents, which may contain sensitive organisational information, 
clarification in the Code is sought to ensure that it does not create an expectation that it will always be 
possible for organisations to share full details of a DPIA. It is suggested that the Code could be 
amended to suggest that, only where appropriate, certain sections of a DPIA might be able to be 
shared. 


Direct marketing by electronic mail (including emails and texts) (page 73) 


The retailer example in this section states that the second email was not compliant. However, 
this example seems to conflict with the “soft opt-in” advice provided later in the Code (page 74). Further 
clarification is sought on this example regarding whether the soft opt-in could be used in such situations if 
the “five requirements” on page 74 have been met. 


Does the soft opt-in apply to fundraising or campaigning? (page 78) 


In this section the Code states that soft opt-in only applies to commercial marketing of products and 
services and cannot be applied to “promotion of aims and ideals”. Further guidance is sought on 
whether it would apply in situations where a commercial entity is providing a product that is promoting 
“aims and ideals”. For example, this could include a report or white paper for consumers. Clarification 
on how the Code would apply in such a situation is sought. 


Can we ask individuals to send our direct marketing? (page 81/83) 


There is a real concern that the requirement for consent for “tell a friend” and “refer a friend” 
campaigns is disproportionate and excessive. While it is understood that a data controller would not 
be able to take information from an individual’s family, or friend, for future marketing without an 
appropriate legal basis, it is not clear why an individual is not able to simply share information, for 
example regarding a discount offer or code, with their friends or family. 


Given that such campaigns are driven by user activity, it is practically not possible for organisations to 
seek consent from users’ “friends” before they have even been referred by a user. Also, in such 
campaigns organisations simply provide the tools and means for a referral to be made. As it is 
currently written the draft Code appears to prohibit “refer a friend” schemes which can be a key tool 
for organisations to use, particularly SMEs, to generate customers. It is suggested that this section of 
the draft Code warrants further consideration and discussion before moving forward with such an 
approach. 


What do we need to know if we use cookies and similar technologies for direct marketing 
purposes? (page 87) 


The inclusion of “fingerprinting techniques” in the list of technologies that can be used for direct 
marketing purposes is useful. However, further guidance in the Code would be welcomed on the use 
of canvas fingerprinting. While this technique may not itself directly identify a user, it can be applied at the 
browser level as an alternative to the use of cookies. Further advice on the use of canvas fingerprinting in 
this section of the guidance would be welcomed. 


Can we target our customers or supporters on social media? (page 90) 


Clarification is sought on the draft Code’s requirements regarding “Custom Audiences”. The current 
draft Code appears to suggest that these practices require consent and that legitimate interests would 
no longer be able to be used in these situations. However, given that “Custom Audience” lists will be 
developed by organisations based on customers they already have a relationship with, it is not clear 
why legitimate interests would no longer apply here. Further explanation, and clarification, is sought 
that legitimate interests can be considered an appropriate lawful basis for processing provided that 
“the three-part test of the legitimate interest basis” is satisfied. It would also be useful if the guidance 
could clarify the situation in this area where organisations are using hashed lists. 
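As an added illustration, not part of techUK’s response, the following Python shows how a hashed “Custom Audience” list is typically built and matched, and why hashing the identifiers does not take the list outside the GDPR: anyone holding a list of candidate email addresses can re-identify the entries. The SHA-256-over-normalised-email convention, the sample addresses, the platform user list and the suppression list are all assumptions constructed for the example.

```python
"""Added example (not from the techUK letter or the ICO draft Code).

Assumptions, not taken from the original text: identifiers are email
addresses, normalised (trimmed, lower-cased) and hashed with SHA-256,
which is the common industry convention; all sample data is constructed.
"""
import hashlib


def normalise_email(email: str) -> str:
    # Typical normalisation before hashing so both sides hash the same bytes.
    return email.strip().lower()


def hash_identifier(email: str) -> str:
    return hashlib.sha256(normalise_email(email).encode("utf-8")).hexdigest()


def build_audience(customer_emails, suppression_list):
    """Advertiser side: hash the customer list, honouring objections first.

    Anyone who has objected to direct marketing is removed *before* hashing,
    so their identifier never leaves the advertiser at all.
    """
    suppressed = {normalise_email(e) for e in suppression_list}
    return sorted({hash_identifier(e) for e in customer_emails
                   if normalise_email(e) not in suppressed})


def match_audience(hashed_audience, platform_users):
    """Platform side: hash its own users the same way and intersect."""
    wanted = set(hashed_audience)
    return sorted(u for u in platform_users if hash_identifier(u) in wanted)


def reidentify(hashed_audience, candidate_emails):
    """Why a hashed list is still personal data: any party holding a set of
    candidate addresses can test each one against the hashes and learn
    exactly which candidates are in the audience."""
    wanted = set(hashed_audience)
    return sorted(e for e in candidate_emails if hash_identifier(e) in wanted)


# Constructed sample data (not real customers).
CUSTOMERS = ["Alice@Example.com", " bob@example.com ", "carol@example.com"]
SUPPRESSION = ["carol@example.com"]  # carol has objected to direct marketing
PLATFORM_USERS = ["alice@example.com", "dave@example.com",
                  "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    audience = build_audience(CUSTOMERS, SUPPRESSION)
    print("hashed audience:", audience)
    print("platform matches:", match_audience(audience, PLATFORM_USERS))
    print("re-identified:", reidentify(audience, ["bob@example.com",
                                                  "erin@example.com"]))
```

The suppression step runs before hashing, which is the practical way to honour an Article 21(2) objection in such a flow; the `reidentify` function is the reason a hashed list should be treated as personal data rather than as anonymised data.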


The Code also states that if an individual has “objected to you using their personal data for direct 
marketing” then their data cannot be used to “target them on social media”. However, in a scenario 
where an individual has accepted cookies to receive personalised marketing, but has opted out of 
direct marketing, it is unclear which user preference would prevail. It would be useful if the Code could 
offer further guidance and clarity in this area. 


Can we target people on social media who are similar to our customers or supporters? (page 91) 


The recognition in the draft Code that activities in relation to “lookalike” audiences is complex is 
welcomed. However, the Code’s suggestion that advertisers and social media platforms would be 
“joint controllers” is not supported. This is because both parties cannot reasonably be said to be jointly 
determining the purpose and means of processing. 


According to the Court of Justice of the European Union’s decision in the Fashion ID case (C-40/17)¹ there cannot 
be any joint controllership without influence. In the ruling the Court looked at who determined the 
purpose and means of processing in a granular way. 


In the case of “lookalike” audience creation, the advertiser first collects and provides personal data to 
the social media platform as a separate and independent data controller. The advertiser determines 
the purpose and means of the processing solely, without the social media platform being able to 
influence these. Therefore, the advertiser acts independently when processing its business contacts’ 
data, before and during the transfer to the social media platform. 


¹ https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-07/cp190099en.pdf 


The social media platform then, in turn, alone determines the purpose and means of processing 
of the base audience data in order to provide a “lookalike” audience comprised of an entirely different 
dataset. This processing is entirely outside the advertiser’s control. Hence, the social media platform 
acts as an independent data controller when processing its users’ personal data. Given the way in 
which “lookalike” audiences are created, the advertiser and social media platform cannot therefore be 
considered joint controllers and the draft Code should reflect this. 


Selling or Sharing Data (page 99) 


Given that the selling and sharing of data are two clearly distinct activities, which could raise different 
issues for individual data subjects as well as for organisations, it is suggested that this area of the 
draft Code requires further clarity and detail, particularly on the distinct issues and implications 
raised by the selling and by the sharing of data. 


Can we offer data broking services? (page 102) 


This section of the Code needs clarification as the guidance appears to be incompatible with the rights 
and obligations of data controllers. The Code appears to currently suggest that where consent has 
been given to pass data from a broker to another organisation for direct marketing, the obligation to 
assess the lawful basis for any subsequent marketing activities, relating to that data, would fall on that 
organisation (as a separate data controller). This is an area where further input and discussion is seen 
as needed. 


Exemptions (page 116) 

This is an area of the Code which is seen as underdeveloped and could be improved by the inclusion 
of some examples and scenarios. 

I hope this input is useful to the consultation process. techUK would be happy to discuss in more 
detail any aspect of the issues raised in this letter. 


Kind Regards 


techuk.or 


